Mtons Mblog Reflected Cross-Site Scripting Vulnerability in Admin Panel User List

A reflected cross-site scripting vulnerability has been identified in Mtons Mblog versions up to 3.5.0. The issue arises in the Admin Panel, specifically within the '/admin/user/list' endpoint. The vulnerability is triggered by manipulating the 'name' parameter in the search function, which lacks proper security checks and output encoding. This flaw allows for the injection of malicious scripts that could be executed in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, access the '/admin/user/list' endpoint in the Admin Panel of Mtons Mblog. Use the search function's 'name' parameter to input a value that includes a script injection, such as an image tag with an 'onerror' event. This will trigger the cross-site scripting vulnerability by executing the injected script in the user's browser.